Disable or Modify Tools: Disable or Modify Cloud Log T1685.002

Tactic: Defense Impairment

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.

Authoring guide

Patterns shared across the 22 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (15 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, ne, in, lt, contains, is_null, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
sourcetype | 19 | eq 19 | aws:cloudtrail, aws:asl, httpevent, o365:management:activity
aws::eventName | 17 | eq 16, in 2 | DeleteDetector, DeleteTrail, StopLogging, UpdateTrail, DeleteIPSet
aws::eventSource | 10 | eq 10, in 1 | cloudtrail.amazonaws.com, bedrock.amazonaws.com, guardduty.amazonaws.com, config.amazonaws.com, logs.amazonaws.com
aws::errorCode | 6 | eq 6, is_null 1 | success, Success
userAgent | 4 | ne 4 | console.amazonaws.com
Channel | 3 | eq 3 | 
action | 3 | eq 3 | audit_log_streaming.update, audit_log_streaming.destroy
Operation | 2 | eq 1, in 1 | *AntiPhish*, *Malware*, *SafeAttachment*, Change user license.
DisabledPlans | 1 | contains 1 | m365_advanced_auditing
NoncurrentDays | 1 | lt 1 | 3
Workload | 1 | eq 1 | Exchange
property_name | 1 | eq 1 | extendedAuditEventCategory
reason | 1 | eq 1 | User initiated pause
requestParameters.enable | 1 | eq 1 | false
user_type | 1 | eq 1 | IAMUser

Top indicator values (54 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
sourcetype | eq | aws:cloudtrail | 8 | 59
sourcetype | eq | aws:asl | 6 | 27
sourcetype | eq | httpevent | 3 | 12
sourcetype | eq | o365:management:activity | 2 | 80
aws::errorCode | eq | success | 5 | 12
aws::eventSource | eq | cloudtrail.amazonaws.com | 4 | 10
aws::eventSource | eq | bedrock.amazonaws.com | 2 | 7
aws::eventSource | eq | guardduty.amazonaws.com | 2 | 4
userAgent | ne | console.amazonaws.com | 4 | 6
aws::eventName | eq | DeleteTrail | 3 | 5
aws::eventName | eq | StopLogging | 3 | 5
aws::eventName | eq | UpdateTrail | 3 | 6
aws::eventName | eq | DeleteDetector | 2 | 3
aws::eventName | eq | DeleteLogGroup | 2 | 2
aws::eventName | eq | PutBucketLifecycle | 2 | 3
action | eq | audit_log_streaming.update | 2 | 2
aws::eventName | in | DeleteIPSet | 2 | 2
aws::eventName | in | DeleteRule | 2 | 3
aws::eventName | in | DeleteRuleGroup | 2 | 2
aws::eventName | in | DeleteWebACL | 2 | 2
DisabledPlans | contains | m365_advanced_auditing | 1 | 
NoncurrentDays | lt | 3 | 1 | 
Operation | eq | Change user license. | 1 | 
Operation | in | *AntiPhish* | 1 | 
Operation | in | *Malware* | 1 | 
Operation | in | *SafeAttachment* | 1 | 
Operation | in | *SafeLink* | 1 | 
Operation | in | Disable-* | 1 | 2
Operation | in | New-* | 1 | 2
Operation | in | Remove-* | 1 | 2
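The following is an added example, not one of the catalog's rules and not real log data: it evaluates the operator shapes the two tables above report (eq, ne, in, lt, contains, wildcard, is_null) over a handful of constructed CloudTrail, O365 and GitHub audit events, ANDing the predicates of each rule the way the indicator combinations are meant to be used, and contrasts that with a lone broad indicator such as sourcetype. The rule names are illustrative, the events are constructed, and the nesting of NoncurrentDays under requestParameters is an assumed shape rather than something the page states.

```python
"""Predicate evaluation over constructed cloud audit events (added example, not
the catalog's rules or real logs). Implements eq, ne, in, lt, contains,
wildcard and is_null, ANDs each rule's predicates, and contrasts that with a
lone broad indicator."""
import fnmatch
from typing import Any

# Constructed events, not real records. CloudTrail omits errorCode on success,
# so the trail rule tests is_null instead of eq "success". The nesting of
# NoncurrentDays under requestParameters is an assumed shape, not from the page.
EVENTS = [
    {"sourcetype": "aws:cloudtrail", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userAgent": "aws-cli/2.15.0"},             # 0 tamper
    {"sourcetype": "aws:cloudtrail", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "userAgent": "aws-cli/2.15.0",
     "errorCode": "AccessDenied"},                                           # 1 failed
    {"sourcetype": "aws:cloudtrail", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "userAgent": "console.amazonaws.com"},   # 2 benign
    {"sourcetype": "aws:cloudtrail", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLifecycle", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"bucketName": "cloudtrail-logs", "LifecycleConfiguration": {
         "Rule": {"NoncurrentVersionExpiration": {"NoncurrentDays": 1}}}}},  # 3 retention
    {"sourcetype": "o365:management:activity", "Workload": "AzureActiveDirectory",
     "Operation": "Change user license.", "DisabledPlans": ["m365_advanced_auditing"]},  # 4
    {"sourcetype": "o365:management:activity", "Workload": "Exchange",
     "Operation": "Disable-AntiPhishRule"},                                  # 5
    {"sourcetype": "httpevent", "action": "audit_log_streaming.destroy"},    # 6 GitHub
]

# Rule names are illustrative; each predicate list mirrors a combination from
# the indicator table and is evaluated as a conjunction.
RULES = {
    "cloudtrail_trail_tampered": [
        ("eventSource", "eq", "cloudtrail.amazonaws.com"),
        ("eventName", "in", ["StopLogging", "DeleteTrail", "UpdateTrail"]),
        ("errorCode", "is_null", None),                # successful calls only
        ("userAgent", "ne", "console.amazonaws.com"),  # API/CLI, not a console click
    ],
    "s3_log_bucket_short_retention": [
        ("eventName", "eq", "PutBucketLifecycle"),
        ("requestParameters.LifecycleConfiguration.Rule."
         "NoncurrentVersionExpiration.NoncurrentDays", "lt", 3),
    ],
    "m365_advanced_auditing_removed": [
        ("Operation", "eq", "Change user license."),
        ("DisabledPlans", "contains", "m365_advanced_auditing"),
    ],
    "exchange_protection_policy_changed": [
        ("Workload", "eq", "Exchange"),
        ("Operation", "wildcard", ["Disable-*", "Remove-*", "New-*"]),
        ("Operation", "wildcard", ["*AntiPhish*", "*Malware*", "*SafeAttachment*", "*SafeLink*"]),
    ],
    "github_audit_streaming_changed": [
        ("action", "in", ["audit_log_streaming.update", "audit_log_streaming.destroy"]),
    ],
}

# String comparisons are case-insensitive, as SPL treats errorCode=success/Success.
OPS = {
    "eq": lambda got, want: str(got).lower() == str(want).lower(),
    "ne": lambda got, want: str(got).lower() != str(want).lower(),
    "in": lambda got, want: str(got).lower() in {str(w).lower() for w in want},
    "lt": lambda got, want: float(got) < float(want),
    "contains": lambda got, want: want in got,  # substring for str, membership for list
    "wildcard": lambda got, want: any(fnmatch.fnmatchcase(str(got), w) for w in want),
}

def lookup(event: dict, path: str) -> Any:
    """Resolve a dotted path in a nested event; a missing key yields None."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def eval_predicate(event: dict, pred: tuple) -> bool:
    field, op, want = pred
    got = lookup(event, field)
    if op == "is_null":
        return got is None
    if got is None:  # an absent field satisfies no other operator, ne included
        return False
    return OPS[op](got, want)

def matches(event: dict, predicates: list) -> bool:
    return all(eval_predicate(event, p) for p in predicates)

def run(events: list, rules: dict) -> dict:
    """Map each rule name to the indexes of the events it fires on."""
    return {name: [i for i, e in enumerate(events) if matches(e, preds)]
            for name, preds in rules.items()}

def single_indicator_hits(events: list, field: str, value: str) -> int:
    """Hits for one eq indicator on its own: the noise the Corpus reach column warns about."""
    return sum(1 for e in events if matches(e, [(field, "eq", value)]))

if __name__ == "__main__":
    print(run(EVENTS, RULES), single_indicator_hits(EVENTS, "sourcetype", "aws:cloudtrail"))
```

Run stand-alone, each rule fires on exactly one constructed event while sourcetype=aws:cloudtrail on its own hits all four AWS records, including the failed DeleteTrail and the benign DescribeTrails. The is_null test on errorCode matters in practice: raw CloudTrail carries no errorCode on success, so an eq "success" predicate only works where the ingestion pipeline (Splunk's aws:cloudtrail sourcetype, for instance) fills that value in.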

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor, with its full predicates, exclusions, and indicators.


Sigma: 3 rules
Splunk: 19 rules